vfs_fruit: ignore Set-ACL requests with zero ACEs
authorRalph Boehme <slow@samba.org>
Sat, 6 Sep 2025 06:48:44 +0000 (08:48 +0200)
committerVolker Lendecke <vl@samba.org>
Fri, 10 Oct 2025 10:40:30 +0000 (10:40 +0000)
Workaround for a new behaviour in latest macOS versions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15926

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
docs-xml/manpages/vfs_fruit.8.xml
source3/modules/vfs_fruit.c

index a2a382e608718c934f846e476f47658ab7151325..333f8678e61d9c4a8cbade5a917194fa033ab353 100644 (file)
             </listitem>
          </varlistentry>
 
+         <varlistentry>
+           <term>fruit:ignore_zero_aces = yes | no</term>
+           <listitem>
+
+             <para>When <parameter>fruit:ignore_zero_aces</parameter> is
+             enabled, attempts to modify filesystem permissions fail if the ACL
+             sent over the wire contains no ACEs. This is completely valid
+             client behaviour, but it means subsequently no further access is
+             possible to the file, unless permissions get fixed by an
+             administrator.</para>
+             <para>This problematic behaviour has been reported for latest
+             macOS versions and this new option allows to work around
+             it.</para>
+             <para>The default is <emphasis>yes</emphasis>.</para>
+
+            </listitem>
+         </varlistentry>
+
        </variablelist>
 </refsect1>
 
index f044e755349e99cdb196505cdf72381792f22335..d4f2cbc06c89a14d56d4f814e4e177f57e8cf00e 100644 (file)
@@ -138,6 +138,7 @@ struct fruit_config_data {
        bool delete_empty_adfiles;
        bool validate_afpinfo;
        bool veto_localized;
+       bool ignore_zero_aces;
 
        /*
         * Additional options, all enabled by default,
@@ -344,6 +345,11 @@ static int init_fruit_config(vfs_handle_struct *handle)
        config->posix_opens = lp_parm_bool(
                SNUM(handle->conn), FRUIT_PARAM_TYPE_NAME, "posix_opens", true);
 
+       config->ignore_zero_aces = lp_parm_bool(SNUM(handle->conn),
+                                               FRUIT_PARAM_TYPE_NAME,
+                                               "ignore_zero_aces",
+                                               true);
+
        config->aapl_zero_file_id =
            lp_parm_bool(SNUM(handle->conn), FRUIT_PARAM_TYPE_NAME,
                         "zero_file_id", true);
@@ -4633,6 +4639,7 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
                                  uint32_t security_info_sent,
                                  const struct security_descriptor *orig_psd)
 {
+       struct fruit_config_data *config = NULL;
        NTSTATUS status;
        bool do_chmod;
        mode_t ms_nfs_mode = 0;
@@ -4640,6 +4647,10 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
        struct security_descriptor *psd = NULL;
        uint32_t orig_num_aces = 0;
 
+       SMB_VFS_HANDLE_GET_DATA(handle, config,
+                               struct fruit_config_data,
+                               return NT_STATUS_UNSUCCESSFUL);
+
        if (orig_psd->dacl != NULL) {
                orig_num_aces = orig_psd->dacl->num_aces;
        }
@@ -4651,6 +4662,13 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
 
        DBG_DEBUG("%s\n", fsp_str_dbg(fsp));
 
+       if (config->ignore_zero_aces && (psd->dacl->num_aces == 0)) {
+               /*
+                * Just ignore Set-ACL requests with zero ACEs.
+                */
+               return NT_STATUS_OK;
+       }
+
        status = check_ms_nfs(handle, fsp, psd, &ms_nfs_mode, &do_chmod);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("fruit_fset_nt_acl: check_ms_nfs failed%s\n", fsp_str_dbg(fsp)));
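Review bot: The added check `psd->dacl->num_aces == 0` dereferences `psd->dacl` without a NULL test, although the same function guards `orig_psd->dacl != NULL` a few lines earlier. The assignment of psd lies outside the hunk, but if it is a copy of orig_psd, a Set-ACL request that carries no DACL at all would hit a NULL dereference here. I would write the condition as `if (config->ignore_zero_aces && psd->dacl != NULL && psd->dacl->num_aces == 0) {`. The early return also reports NT_STATUS_OK without logging, so a client or administrator that deliberately sends an empty DACL is told the change succeeded while the old permissions stay in force, whereas the manpage text in this commit says such attempts "fail". A line such as `DBG_NOTICE("Ignoring Set-ACL with zero ACEs on %s\n", fsp_str_dbg(fsp));` before the return would make the ignored request auditable, and the manpage wording should match the code. If psd is allocated before this point, this path presumably also needs the function's usual cleanup of psd.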